Best practices for automatic deactivation of blackhole filtering

Updated at:
Copy as MD

If your asset that is assigned a public IP address encounters volumetric DDoS attacks after your asset is added to an Anti-DDoS Native instance of a paid edition, blackhole filtering may still be triggered. To prevent extended periods of service interruptions, you must deactivate blackhole filtering at the earliest opportunity. Anti-DDoS Native paid editions provide a solution to configure alerts and automatically deactivate blackhole filtering.

Prerequisites

This solution requires you to call an API operation of Anti-DDoS Native. Therefore, this solution is available only for Anti-DDoS Native instances. Before you use this solution, make sure that your asset is added to an Anti-DDoS Native instance. For more information, see Add an object for protection.

Background information

You can manually deactivate blackhole filtering for Anti-DDoS Native instances in the Traffic Security console. For more information, see Deactivate blackhole filtering. However, manual deactivation may result in delays and unexpected errors. If your service requires a high level of stability and continuity, use the following method to configure alerts and automatically deactivate blackhole filtering:

  1. Create an alert rule in the CloudMonitor console to monitor blackhole filtering that is triggered on an Anti-DDoS Native instance of a paid edition.

    Note

    If blackhole filtering is triggered and detected on assets that are added to Anti-DDoS Native paid editions, CloudMonitor sends messages about blackhole filtering. In other scenarios, no messages about blackhole filtering are sent.

  2. Create a custom rule to automatically deactivate blackhole filtering on an Anti-DDoS Native instance by calling the DeleteBlackhole operation. For more information, see DeleteBlackhole.

You can also create rules to automatically call an API operation of Alibaba Cloud DNS (DNS). The operation resolves your domain name to the IP address of an Anti-DDoS Proxy instance during DDoS attacks.

Procedure

  1. Log on to the CloudMonitor console.

  2. In the left-side navigation pane, choose Event Center > System Event.

  3. On the Event Monitoring tab, click Save as Alert Rule. In the Create/Modify Event-triggered Alert Rule panel, create a blackhole filtering event alert rule for Anti-DDoS Native.

    Set Product Type to Anti-DDoS Origin, Event Type to DDoS Attacks, Event Level to CRITICAL, and Event Name to ddosbgp_event_blackhole. Then, select a channel to receive alert notifications. For more information about other parameters, see Manage system event-triggered alert rules.

    The event alert is created. When CloudMonitor detects that blackhole filtering is triggered on an asset that is added to the Anti-DDoS Native instance, CloudMonitor generates an alert and pushes the following message by using the specified channels. Sample alert message:

    {    
        "action": "add", //The event status. The value add indicates that the event started, and the value del indicates that the event ended.     
        "bps": 0, //The throughput when the event is triggered. Unit: Mbit/s.     
        "pps": 0, //The packet rate when the event is triggered. Unit: packets per second (pps).     
        "instanceId": "ddosbgp-cn-78v17******", //The ID of the Anti-DDoS Native instance.     
        "ip": "47.*.*.*", // The IP address of the asset on which the event is triggered.     
        "regionId": "cn-hangzhou", //The ID of the region in which the Anti-DDoS Native instance resides.     
        "time": 1564104493000, //The time when the event begins. The value is a timestamp. Unit: milliseconds.     
        "type": "blackhole"  //The event type. The value defense indicates a traffic scrubbing event and the value blackhole indicates a blackhole filtering event. 
    }
  4. Create a custom rule to automatically deactivate blackhole filtering by calling the DeleteBlackhole operation. For more information, see DeleteBlackhole.